Enumeration belongs to the first phase of Ethical Hacking. This is a process where the attacker establishes an active connection with the victim and tries to discover as many attack vectors as possible, which can be used to exploit the systems further.

Enumeration can be used to gain information on:

  1. Network shares
  2. SNMP data, if they are not secured properly
  3. IP Tables
  4. Usernames of different systems
  5. Passwords policies lists

Enumerations depend on the services that the systems offer:

  1. DNS
  2. NTP
  3. SNMP
  4. Linux/Windows
  5. SMB

Let us now discuss some of the tools that are widely used for Enumeration

NTP SUITE

NTP Suite is used for NTP enumeration. This is important because in a network environment, you can find other primary servers that help the hosts to update their times and you can do it without authenticating the system.

Take a look at the following example.

ntpdate 192.168.1.100

01 Sept 12:50:49 ntpdate[627]: adjust time server 192.168.1.100 offset - 0.005030 sec

or

# ntpdc [-ilnps] [-c command] [hostname/IP_address]
ntpdc -c sysinfo 192.168.1.100
***Warning changing to older implementation
***Warning changing the request packet size from 160 to 48 system peer: 192.168.1.101
system peer mode: client

leap indicator: 00
stratum: 5
precision: -15
root distance: 0.00107 s root dispersion: 0.02306 s
reference ID: [192.168.1.101]
reference time: f66s4f45.f633e130, Sept 01 2016 22:06:23.458 system flags: monitor ntp stats calibrate
jitter: 0.000000 s
stability: 4.256 ppm
broadcastdelay: 0.003875 s
authdelay: 0.000107 s

ENUM4LINUX

Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from https://www.bindview.com. Enum4Linux is written in Perl and is basically a wrapper around the Samba tools smbclient, rpclient, net and nmblookup. If you don't have Enum4Linux yet installed on your machine, you can do it using the following commands.

sudo git clone https://github.com/portcullislabs/enum4linux
cd enum4linux && sudo chmod +x enum4linux.pl

Once you are ready, you can simply run the tool on your own internal IP to see all the information that a simple scan can retrieve. If you are not sure about your local IP, you can execute "ifconfig" in order to find it. In the below example the local IP address is referenced as "192.168.1.102".

./enum4linux.pl -U -o 192.168.1.102

Output

Identify Sensitive Information using Network Enumeration


SMTP-USER-ENUM

The tool smtp-user-enum is also written in Perl and is used to enumerate OS-level user accounts via the SMTP service. Enumeration is performed by inspecting the responses to VRFY, EXPN and RCPT TO commands. If you don't have smtp-user-enum yet installed on your machine, you can do it using the following commands.

sudo git clone https://github.com/pentestmonkey/smtp-user-enum
cd smtp-user-enum && sudo chmod +x smtp-user-enum.pl

When you already installed the tool, you can have a look on how it work by trying it on your local machine with the user root.

./enum4linux.pl -U -o 192.168.1.102

Output

Identify Sensitive Information using Network Enumeration

QUICK FIX

It is recommended to disable all services that you don’t use. It reduces the possibilities of OS enumeration of the services that your systems are running.